GoldenJackal is a new advanced persistent threat actor that targets government and diplomatic organizations in the Middle East and South Asia. Kaspersky Labs, a Russian cybersecurity company, has been monitoring the group’s actions since the middle of 2020 and has described them as both powerful and covert.
The campaign is focused on infecting users in Afghanistan, Azerbaijan, Iran, Iraq, Pakistan, and Turkey with custom software that steals information, spreads it to other computers through USB drives, and monitors their activity.
Little is known about GoldenJackal, but they have likely been around for at least four years. Kaspersky claims it has been unable to trace the actor’s origin or identify its affiliation with other known threat actors, but the actor’s MO points to an espionage motive.
The threat actor’s efforts to stay out of the spotlight and blend in with the background are also indicative of state sponsorship.
The threat actor shares similar tactics with Turla, one of Russia’s best nation-state hacking groups. In one case, Turla and GoldenJackal infected the same victim machine two months apart.
It is currently unknown what initial vector was used to compromise the targeted PCs; nevertheless, evidence leads to trojanized Skype installations and malicious Microsoft Word documents.
Word documents have been seen using the Follina vulnerability (CVE-2022-30190) to spread the same malware that is spread via the installer, a.NET-based trojan known as JackalControl.
As its name suggests, JackalControl allows attackers to take remote control of a system and perform actions like uploading and downloading files or running arbitrary instructions.
The following are examples of other malware families that have been deployed by GoldenJackal.
JackalSteal is an implant designed to search for and upload files of interest from any storage medium, including removable USB devices, to a remote server. inJackalWorm is a worm that spreads via USB flash drives and installs the JackalControl malware on infected computers.
JackalPerInfo is a piece of malware that can steal information from your computer, including its metadata, folder contents, installed apps and processes, and even your browser’s saved credentials.
JackalScreenWatcher is a tool for taking screenshots at regular intervals and uploading them to a server managed by actors.
The threat actor is also notable because it uses compromised WordPress sites as a relay to send web requests to its real command-and-control (C2) server via a malicious PHP file.
“The group is probably trying to reduce its visibility by limiting the number of victims,” Giampaolo Dedola, a researcher at Kaspersky, said. “It appears that they are still making investments in their toolkit, as evidenced by the large number of variants available.”
Conclusion
Since 2019, an advanced persistent threat (APT) group, identified only by its codename GoldenJackal has been spying on government and diplomatic institutions across Asia. The threat actors have kept a low profile for stealth, picking their victims with great care and limiting the frequency of their attacks. Since 2020, Kaspersky has been monitoring GoldenJackal, and the company has just released a report detailing the group’s extensive activity across multiple countries, including Afghanistan, Azerbaijan, Iran, Iraq, Pakistan, and Turkey. According to Kaspersky, “GoldenJackal” is a sophisticated persistent threat (APT) group that has been up and active since 2019 and primarily targets government and diplomatic bodies in the Middle East and South Asia.
This gang has been operating for some time, but to our knowledge, they have never been officially identified or even named. It is not known what spreads the APT virus. Researchers have found evidence of phishing activities using malicious documents that exploit the Microsoft Office Follina vulnerability using the remote template injection technique. In addition, Kaspersky has discovered ‘Skype for Business’ installers that are tainted with malware and distribute it alongside a fake version of the program. Although GoldenJackal shares some code and TTP (techniques, tactics, and procedures) with Turla, it is being monitored by Kaspersky as its own activity cluster.
Security firm Kaspersky claims that GoldenJackal uses a suite of custom.NET malware tools to perform a wide range of malicious activities, such as credential dumping, data theft, malware loading, lateral movement, file exfiltration, and more. ‘JackalControl,’ the major payload used initially, grants remote control of the infected computer to the attackers. Malware can add Registry keys, Windows scheduled tasks, or Windows services to the operating system in order to remain active after being removed. Through HTTP POST requests, it gets encoded orders from the C2 server that instruct it to run arbitrary code, steal data, or download more payloads.
